Cyber-attacks cost companies and individuals billions of dollars. A report in 2015 estimated that cyber-attacks cost companies over $400 billion annually. In addition to the financial costs, cyber-attacks may result in other damages such as the destruction of valuable information, the release of sensitive information, and so on. The costs and damages will surely increase over time without effective defenses. Cyber-attacks often rely on malicious software, referred to as “malware,” which is installed and executed on the computer that is the target of the attack. The executing malware orchestrates the attack. For example, a ransomware attack may encrypt all the data on a computer, including the only copy of financial documents, family photographs, electronic mail messages, and so on. If the ransom is not paid, then the data may remain encrypted forever. Even if the ransom is paid, the attacker might not provide the key to decrypt the data. Because of the high costs of cyber-attacks, companies and individuals expend considerable resources developing and purchasing security systems as defenses against cyber-attacks. These security systems include firewall systems, antivirus systems, authentication systems, intrusion prevention systems, access control systems, application blocking systems, and so on.
Malware can be installed on a computer in various ways. For example, ransomware may arrive as an email attachment that contains garbled content and a malicious macro. When the user opens the attachment, it displays the garbled content and prompts the user to enable macros in order to view it correctly. When the user enables macros, the malicious macro installs and executes the ransomware. As another example, an employee of a corporation may install an unauthorized application on their computer. Normally, the information technology group of a corporation analyzes and authorizes only those applications that meet the strict security standards of the corporation. An unauthorized application has not been through that analysis, so installing it can expose the computers on the corporation's network to vulnerabilities that significantly increase the chance of a cyber-attack against the corporation.
An organization may have thousands of servers and thousands of user computers (e.g., desktops and laptops) connected to its network. The servers may each be a certain type of server, such as a load balancing server, a firewall server, a database server, an authentication server, a personnel management server, a web server, a file system server, and so on. In addition, the user computers may each be a certain type, such as a management computer, a technical support computer, a developer computer, a secretarial computer, and so on. Each server and user computer may have various applications installed that are needed to support the function of the computer. Because of the various types of servers and user computers, such a network is referred to as a “hybrid environment.”
It can be a difficult task to ensure that each computer can execute only authorized applications. As used herein, the term “application” refers to any software that can be separately identified and executed, such as application programs, applets, dynamic-link libraries, operating system software, scripts, add-ins, operating system drivers, and so on. To support this task, security tools may be installed on each computer to ensure that only authorized applications are allowed to execute on that computer. The security tool may allow an administrator to generate an allowed list for each computer that lists the authorized applications that computer is permitted to execute. When the operating system executing on a computer receives a request to execute an application, the operating system asks the security tool whether to allow the execution. If the application is in the allowed list, the security tool indicates that execution is allowed. Otherwise, the security tool indicates that the execution is to be blocked, so anything not explicitly listed is denied by default.
Maintaining the allowed lists for the computers in a large organization can be a daunting task. In addition to the initial setup of the allowed lists, an administrator needs to update the allowed lists as the needs of the organization change, as new versions of applications are released, as new computers come online, and so on. Moreover, an improperly maintained allowed list can leave the organization vulnerable to cyber-attacks: an entry that is too broad admits software that was never authorized, while a missing entry blocks software the organization depends on.
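The allow-or-block decision described in the two preceding paragraphs, and the maintenance burden that follows from it, as an added example written for this page (it is not code from the original text or from any product the text describes). The page does not say how the security tool identifies an application, so this example assumes the allowed list holds SHA-256 digests of file contents; a name-based check is included only to show what it gets wrong. The computer name, file paths and application contents are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Identity of an application: a digest of its bytes, not its file name."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AllowedList:
    """Per-computer allowed list kept by the security tool (assumed structure)."""
    computer: str
    digests: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def authorize(self, data: bytes) -> None:
        """Administrator action: add an application (by digest) to the list."""
        self.digests.add(sha256_hex(data))

    def should_execute(self, path: str, data: bytes) -> bool:
        """Answer the operating system's question: allow (True) or block (False).
        Anything whose digest is not listed is blocked, i.e. default deny."""
        allowed = sha256_hex(data) in self.digests
        self.log.append((self.computer, path, "allow" if allowed else "block"))
        return allowed


def should_execute_by_name(allowed_names: set, path: str) -> bool:
    """A weaker check that trusts the file name; shown only for contrast."""
    return path.rsplit("\\", 1)[-1].lower() in allowed_names


# Constructed sample contents standing in for real executables.
PAYROLL_V1 = b"payroll application, version 1"
PAYROLL_V2 = b"payroll application, version 2"
RANSOMWARE = b"encrypt every file, then demand payment"
PAYROLL_PATH = r"C:\Apps\payroll.exe"


def demo() -> dict:
    """Walk through the lifecycle of one computer's allowed list."""
    finance_pc = AllowedList("finance-desktop-01")
    finance_pc.authorize(PAYROLL_V1)
    results = {}

    # The authorized application runs.
    results["v1"] = finance_pc.should_execute(PAYROLL_PATH, PAYROLL_V1)

    # Ransomware copied over the authorized file name is still blocked,
    # because its bytes do not match any listed digest...
    results["renamed_malware"] = finance_pc.should_execute(PAYROLL_PATH, RANSOMWARE)

    # ...whereas a name-only list would let it through.
    results["renamed_malware_by_name"] = should_execute_by_name({"payroll.exe"}, PAYROLL_PATH)

    # A new release of the same application is blocked until the administrator
    # updates the list: this is the maintenance burden the text describes.
    results["v2_before_update"] = finance_pc.should_execute(PAYROLL_PATH, PAYROLL_V2)
    finance_pc.authorize(PAYROLL_V2)
    results["v2_after_update"] = finance_pc.should_execute(PAYROLL_PATH, PAYROLL_V2)

    results["decisions_logged"] = len(finance_pc.log)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The contrast between the two checks is the practical point: a list keyed by content digest blocks the renamed ransomware and the unreviewed new version alike, which is exactly why every legitimate release forces an administrator to touch the list, and why a list that is instead keyed by name is easy to maintain but easy to evade.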